Obfuscated URLs within iframes

Tuesday, August 17, 2010

Issue There has been discussion today about a Firefox feature that warns users when a site’s URL is deceptive. When a Firefox user visits a site with a url that might be deceptive (e.g. http://www.good.com@evil.com/) , Firefox will stop the load and confirm with the user that they are really visiting the site they expected to visit (in this example, evil.com is the actual site loaded). The discussion today has identified the fact that this same warning is not presented when an iframe on the page attempts to load such a URL.

Impact to Users This issue poses very low risk to users. This attack relies on user confusion about the true destination of a link, and only someone examining the HTML source of the page would ever see the deceptive URL. Most users do not view the source of loading pages, and are therefore unlikely to be impacted by this attack.

Status We are aware of the discussion. There is currently no fix in plan since Mozilla does not believe this can be used to attack users. Firefox ships with built-in phishing and malware protection that warns users if they are attempting to visit a dangerous URL, and these attempts at deception do not impact that protection.